Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-12-20 Thread Jacob Appelbaum
It may make sense for us to have a package of paxrat with common
configurations for Debian users:

  https://github.com/subgraph/paxrat

This would ensure that everyone can use this kernel and have xorg work
as expected, for example.

Otherwise, I think we will see a lot of people who just run:

  paxctl -m /usr/bin/Xorg

paxctl one-off runs aren't great for a full solution.

paxrat improves on this as package updates and other things can stomp
on pax related xattributes. paxrat seems very very useful in this
context - we get configuration files as well as dpkg hooks.



Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-12-19 Thread Jacob Appelbaum
On 12/19/15, Yves-Alexis Perez  wrote:
> On jeu., 2015-11-05 at 22:08 +0100, Yves-Alexis Perez wrote:
>> On sam., 2015-10-10 at 21:55 +0200, Yves-Alexis Perez wrote:
>> > This is really a work in progress and this mail a request for comment.
>> > Especially missing is:
>>
>> So, did any of you have the chance to test it? I'm currently running the
>> 4.2.5
>> kernel with grsecurity-3.1-4.2.5-201511021814 (just uploaded to my
>> repository
>> and to git.d.o) and it works just fine.
>>
>> I'm really interested by any feedback you would have on this.
>>
> With a lot of help from Ben I've made quite some progress in having the
> less possible differences with src:linux package. With 4.3.3 we still have few
> things differing, some of them which I think will be integrated in the
> upcoming src:linux releases.
>

Great news - this looks fantastic!

> I'm intending to upload the current version to NEW during the week-end, so
> if any of you want to test it, now would be a good time.
>

I've installed it - I've also tuned a few things. It seems to work as
well as my previous kernel - audio works, etc.

> You can find it on the git repository
> at https://anonscm.debian.org/cgit/collab-maint/linux-grsec.git and the
> source and binary packages on my apt repository
> at https://perso.corsac.net/~corsac/debian/kernel-grsec/packages/

To boot Debian Jessie (with some testing packages too) to X - I had to set:

kernel.grsecurity.disable_priv_io=0
kernel.pax.softmode=1
kernel.grsecurity.grsec_lock=0
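
An added example, not part of the original message or of the linux-grsec packaging: a shell check for a sysctl.conf-style file that flags the three keys named above when they carry their relaxed values, and flags any kernel.grsecurity.* write placed after grsec_lock is enabled, which the kernel refuses. The function names, the sample file and the "stricter" baseline are assumptions made for illustration.

```shell
#!/bin/sh
# Stricter value for each key named in the message (assumed baseline for this
# example, not an official grsecurity profile). Values are compared as 0/1.
hardened_value() {
    case "$1" in
        kernel.grsecurity.disable_priv_io) echo 1 ;;  # refuse ioperm()/iopl()
        kernel.pax.softmode)               echo 0 ;;  # enforce PaX by default
        kernel.grsecurity.grsec_lock)      echo 1 ;;  # freeze grsecurity sysctls
        *) return 1 ;;
    esac
}

# Read sysctl.conf-style text on stdin and print one finding per line.
audit_grsec_sysctl() {
    locked=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                              # drop '#' comments
        case "$line" in *=*) ;; *) continue ;; esac   # skip non-assignments
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}" | tr -d ' \t')
        case "$key" in
            kernel.grsecurity.*|kernel.pax.*) ;;
            *) continue ;;                            # not a grsec/PaX key
        esac
        # Once grsec_lock is non-zero, later grsecurity writes are refused.
        if [ "$locked" -eq 1 ] && [ "${key#kernel.grsecurity.}" != "$key" ]; then
            echo "line $lineno: REJECTED $key=$val (written after grsec_lock was set)"
            continue
        fi
        if want=$(hardened_value "$key"); then
            [ "$val" = "$want" ] ||
                echo "line $lineno: RELAXED $key=$val (stricter: $want)"
        else
            echo "line $lineno: UNCHECKED $key=$val (no baseline entry)"
        fi
        if [ "$key" = kernel.grsecurity.grsec_lock ] && [ "$val" != 0 ]; then
            locked=1
        fi
    done
    return 0
}

# Constructed sample file: soft mode left on, and the lock set too early.
sample_conf() {
    cat <<'EOF'
# constructed sample for the added example
kernel.pax.softmode = 1
kernel.grsecurity.grsec_lock = 1
kernel.grsecurity.disable_priv_io = 0
EOF
}

sample_conf | audit_grsec_sysctl
```

Run against a real file with `audit_grsec_sysctl < /etc/sysctl.d/your-file.conf`; an empty result means every checked key has its stricter value and grsec_lock comes last.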



Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-12-19 Thread Ben Hutchings
On Sat, 2015-12-19 at 17:03 +, Jacob Appelbaum wrote:
> On 12/19/15, Jacob Appelbaum  wrote:
[...]
> > To boot Debian Jessie (with some testing packages too) to X - I had to set:
> > 
> > kernel.grsecurity.disable_priv_io=0
> > kernel.pax.softmode=1
> > kernel.grsecurity.grsec_lock=0
> > 
> 
> With that stuff set - I also see the following:
> 
> Dec 19 17:44:32 vula kernel: [ 4047.508272] WARNING: CPU: 5 PID: 2109 at /build/linux-grsec-4.3.3/debian/build/source_grsec/include/drm/drm_crtc.h:1577 drm_helper_choose_crtc_dpms+0x8e/0x90 [drm_kms_helper]()
[...]
> Lots of things like that in my kernel log...

Almost certainly an upstream bug.  See
 for bug reporting.

Ben.

-- 
Ben Hutchings
Always try to do things in chronological order;
it's less confusing that way.

signature.asc
Description: This is a digitally signed message part


Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-12-19 Thread Jacob Appelbaum
On 12/19/15, Jacob Appelbaum  wrote:
> On 12/19/15, Yves-Alexis Perez  wrote:
>> On jeu., 2015-11-05 at 22:08 +0100, Yves-Alexis Perez wrote:
>>> On sam., 2015-10-10 at 21:55 +0200, Yves-Alexis Perez wrote:
>>> > This is really a work in progress and this mail a request for comment.
>>> > Especially missing is:
>>>
>>> So, did any of you have the chance to test it? I'm currently running the
>>> 4.2.5
>>> kernel with grsecurity-3.1-4.2.5-201511021814 (just uploaded to my
>>> repository
>>> and to git.d.o) and it works just fine.
>>>
>>> I'm really interested by any feedback you would have on this.
>>>
>> With a lot of help from Ben I've made quite some progress in having the
>> less possible differences with src:linux package. With 4.3.3 we still have
>> few
>> things differing, some of them which I think will be integrated in the
>> upcoming src:linux releases.
>>
>
> Great news - this looks fantastic!
>
>> I'm intending to upload the current version to NEW during the week-end,
>> so
>> if any of you want to test it, now would be a good time.
>>
>
> I've installed it - I've also tuned a few things. It seems to work as
> well as my previous kernel - audio works, etc.
>
>> You can find it on the git repository
>> at https://anonscm.debian.org/cgit/collab-maint/linux-grsec.git and the
>> source and binary packages on my apt repository
>> at https://perso.corsac.net/~corsac/debian/kernel-grsec/packages/
>
> To boot Debian Jessie (with some testing packages too) to X - I had to set:
>
> kernel.grsecurity.disable_priv_io=0
> kernel.pax.softmode=1
> kernel.grsecurity.grsec_lock=0
>

With that stuff set - I also see the following:

Dec 19 17:44:32 vula kernel: [ 4047.508272] WARNING: CPU: 5 PID: 2109 at /build/linux-grsec-4.3.3/debian/build/source_grsec/include/drm/drm_crtc.h:1577 drm_helper_choose_crtc_dpms+0x8e/0x90 [drm_kms_helper]()
Dec 19 17:44:32 vula kernel: [ 4047.508272] Modules linked in:
binfmt_misc cfg80211 bridge stp llc snd_hda_codec
_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel
snd_hda_codec nouveau snd_hda_core intel_rapl io
sf_mbi snd_hwdep ttm eeepc_wmi x86_pkg_temp_thermal asus_wmi
drm_kms_helper sparse_keymap intel_powerclamp coret
emp snd_pcm rfkill drm iTCO_wdt video iTCO_vendor_support i2c_algo_bit
snd_timer kvm_intel fb_sys_fops mxm_wmi sb_edac syscopyarea psmouse
pcspkr mei_me serio_raw edac_core kvm joydev lpc_ich sysfillrect mei
snd mfd_core evdev sysimgblt soundcore i2c_i801 shpchp 8250_fintek wmi
tpm_infineon tpm_tis processor tpm button loop fuse autofs4 ext4 crc16
mbcache jbd2 algif_skcipher af_alg uas usb_storage hid_generic
hid_cherry usbhid hid dm_crypt dm_mod sg sd_mod crct10dif_pclmul
crc32_pclmul crc32c_intel jitterentropy_rng hmac drbg ahci libahci
ansi_cprng aesni_intel aes_x86_64 xhci_pci lrw gf128mul glue_helper
ablk_helper ehci_pci libata ehci_hcd xhci_hcd cryptd e1000e ptp
scsi_mod usbcore usb_common pps_core
Dec 19 17:44:32 vula kernel: [ 4047.508303] CPU: 5 PID: 2109 Comm:
kworker/5:0 Tainted: GW   4.3.0-1-grsec-amd64 #1 Debian
4.3.3-1+grsec1
Dec 19 17:44:32 vula kernel: [ 4047.508304] Hardware name: System
manufacturer System Product Name/P9X79, BIOS 4608 12/24/2013
Dec 19 17:44:32 vula kernel: [ 4047.508305] Workqueue: events a0696b70
Dec 19 17:44:32 vula kernel: [ 4047.508305]  
729b2a82b7c3ba87  a04779a0
Dec 19 17:44:32 vula kernel: [ 4047.508307]  812f376f
 810648e7 880dfb95d000
Dec 19 17:44:32 vula kernel: [ 4047.508308]  880036954000
 0003 
Dec 19 17:44:32 vula kernel: [ 4047.508310] Call Trace:
Dec 19 17:44:32 vula kernel: [ 4047.508314]  [] ?
sysrq_drm_fb_helper_restore_op+0x20/0x2db9 [drm_kms_helper]
Dec 19 17:44:32 vula kernel: [ 4047.508315]  [] ?
dump_stack+0x40/0x61
Dec 19 17:44:32 vula kernel: [ 4047.508317]  [] ?
warn_slowpath_common+0x77/0xb0
Dec 19 17:44:32 vula kernel: [ 4047.508319]  [] ?
drm_helper_choose_crtc_dpms+0x8e/0x90 [drm_kms_helper]
Dec 19 17:44:32 vula kernel: [ 4047.508322]  [] ?
drm_helper_connector_dpms+0x60/0x100 [drm_kms_helper]
Dec 19 17:44:32 vula kernel: [ 4047.508338]  [] ?
nouveau_connector_hotplug+0x69/0xb0 [nouveau]
Dec 19 17:44:32 vula kernel: [ 4047.508346]  [] ?
nvif_notify_work+0x2c/0xc0 [nouveau]
Dec 19 17:44:32 vula kernel: [ 4047.508355]  [] ?
nvkm_notify_work+0x78/0x80 [nouveau]
Dec 19 17:44:32 vula kernel: [ 4047.508356]  [] ?
process_one_work+0x14d/0x390
Dec 19 17:44:32 vula kernel: [ 4047.508358]  [] ?
worker_thread+0x63/0x490
Dec 19 17:44:32 vula kernel: [ 4047.508359]  [] ?
rescuer_thread+0x320/0x320
Dec 19 17:44:32 vula kernel: [ 4047.508360]  [] ?
kthread+0xeb/0x110
Dec 19 17:44:32 vula kernel: [ 4047.508362]  [] ?
kthread_park+0x60/0x60
Dec 19 17:44:32 vula kernel: [ 4047.508363]  [] ?
ret_from_fork+0x3e/0x70
Dec 19 17:44:32 vula kernel: [ 4047.508364]  [] ?
kthread_park+0x60/0x60
Dec 19 17:44:32 vula kernel: 

Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-12-19 Thread Yves-Alexis Perez
On jeu., 2015-11-05 at 22:08 +0100, Yves-Alexis Perez wrote:
> On sam., 2015-10-10 at 21:55 +0200, Yves-Alexis Perez wrote:
> > This is really a work in progress and this mail a request for comment.
> > Especially missing is:
> 
> So, did any of you have the chance to test it? I'm currently running the
> 4.2.5
> kernel with grsecurity-3.1-4.2.5-201511021814 (just uploaded to my
> repository
> and to git.d.o) and it works just fine.
> 
> I'm really interested by any feedback you would have on this.
> 
With a lot of help from Ben I've made quite some progress in having the fewest
possible differences with the src:linux package. With 4.3.3 we still have a few
things differing, some of which I think will be integrated in the
upcoming src:linux releases.

I'm intending to upload the current version to NEW during the week-end, so if
any of you want to test it, now would be a good time.

You can find it on the git repository at
https://anonscm.debian.org/cgit/collab-maint/linux-grsec.git and the source
and binary packages on my apt repository at
https://perso.corsac.net/~corsac/debian/kernel-grsec/packages/

Any comment appreciated, obviously.

Regards,
-- 
Yves-Alexis





Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-11-12 Thread Yves-Alexis Perez
On sam., 2015-11-07 at 14:54 +, Ben Hutchings wrote:
> 1. linux-grsec-{source,support} are included in debian/control but not
> built by debian/rules.real.  I think these should be built; the latter
> will be needed to build metapackages as in linux-latest.
> 
> 
> 3. The changes to gencontrol.py and rules.real to disable most arch:all
> packages should depend on configuration, not the source package name.
> They would then be acceptable for inclusion on the master branch.
> 
So following your patch, I've pushed a split-docs [1] branch on my git
repository implementing this.

I used the section name [docs] with enabled: true by default, and I used
DO_DOCS environment variable to pass the information from rules.gen to
rules.real (like FOREIGN_KERNEL case for example), I hope that's the right
thing to do.

I guess I could also call the env var SKIP_DOCS with the opposite logic if you
prefer (at that point it's really bikeshedding I guess).

I /think/ those two patches should be acceptable for inclusion.

Regards,

[1] https://anonscm.debian.org/cgit/collab-maint/linux-grsec.git/log/?h=split-docs
-- 
Yves-Alexis





Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-11-10 Thread Ben Hutchings
On Tue, 2015-11-10 at 10:42 +0100, Yves-Alexis Perez wrote:
> On sam., 2015-11-07 at 14:54 +, Ben Hutchings wrote:
> > I've given this a quick review and found a few issues:
> 
> Thanks!
> > 
> > 1. linux-grsec-{source,support} are included in debian/control but not
> > built by debian/rules.real.  I think these should be built; the latter
> > will be needed to build metapackages as in linux-latest.
> 
> Done. Right now the package name is hardcoded in debian/rules.real, I'll see
> if there's a way to get it from the configuration somehow (after I get more
> info from the #3 and #4 replies).

This seems to work:

--- a/debian/rules.real
+++ b/debian/rules.real
@@ -13,6 +13,7 @@ DEB_HOST_MULTIARCH:= $(shell dpkg-architecture -a'$(ARCH)' 
-qDEB_HOST_MULTIARCH)
 DEB_BUILD_ARCH:= $(shell dpkg-architecture -a'$(ARCH)' -qDEB_BUILD_ARCH)
 endif
 MAINTAINER := $(shell sed -ne 's,^Maintainer: .[^<]*<\([^>]*\)>,\1,p' 
debian/control)
+SOURCE_PACKAGE_NAME := $(shell dpkg-parsechangelog -SSource)
 DISTRIBUTION := $(shell dpkg-parsechangelog -SDistribution)
 SOURCE_DATE := $(shell dpkg-parsechangelog -SDate)
 SOURCE_DATE_UTC_ISO := $(shell date -u -d '$(SOURCE_DATE)' +%Y-%m-%d)
@@ -191,7 +192,7 @@ install-dummy:
    dh_prep
    +$(MAKE_SELF) install-base
 
-install-doc: PACKAGE_NAME = linux-doc-$(VERSION)
+install-doc: PACKAGE_NAME = $(SOURCE_PACKAGE_NAME)-doc-$(VERSION)
 install-doc: DIR = $(BUILD_DIR)/build-doc
 install-doc: PACKAGE_DIR = debian/$(PACKAGE_NAME)
 install-doc: OUT_DIR = $(PACKAGE_DIR)/usr/share/doc/$(PACKAGE_NAME)
@@ -210,7 +211,7 @@ install-doc: $(STAMPS_DIR)/build-doc
    gzip -9nqfr $(OUT_DIR)/Documentation
    +$(MAKE_SELF) install-base
 
-install-manual: PACKAGE_NAME = linux-manual-$(VERSION)
+install-manual: PACKAGE_NAME = $(SOURCE_PACKAGE_NAME)-manual-$(VERSION)
 install-manual: DIR=$(BUILD_DIR)/build-doc
 install-manual: DH_OPTIONS = -p$(PACKAGE_NAME)
 install-manual: $(STAMPS_DIR)/build-doc
@@ -329,7 +330,7 @@ install-libc-dev_$(ARCH):
 
    +$(MAKE_SELF) install-base
 
-install-support: PACKAGE_NAME = linux-support-$(ABINAME)
+install-support: PACKAGE_NAME = $(SOURCE_PACKAGE_NAME)-support-$(ABINAME)
 install-support: DH_OPTIONS = -p$(PACKAGE_NAME)
 install-support: PACKAGE_DIR = debian/$(PACKAGE_NAME)
 install-support: PACKAGE_ROOT = /usr/share/$(PACKAGE_NAME)
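Review bot: install-support derives PACKAGE_ROOT from PACKAGE_NAME, so with this rename the support files move to /usr/share/$(SOURCE_PACKAGE_NAME)-support-$(ABINAME). Anything that locates the support directory by the old linux-support-$(ABINAME) name, such as a metapackage build modelled on linux-latest, needs the same substitution; the commit message should say so.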
@@ -440,7 +441,7 @@ install-udeb_$(ARCH):
    dh_gencontrol
    dh_builddeb
 
-install-source: PACKAGE_NAME = linux-source-$(VERSION)
+install-source: PACKAGE_NAME = $(SOURCE_PACKAGE_NAME)-source-$(VERSION)
 install-source: DH_OPTIONS = -p$(PACKAGE_NAME)
 install-source: $(BUILD_DIR)/linux-source-$(UPSTREAMVERSION).tar.xz $(foreach 
FEATURESET,$(filter-out 
none,$(ALL_FEATURESETS)),$(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-$(FEATURESET).patch.xz)
    dh_testdir
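Review bot: in install-source only PACKAGE_NAME is parameterised; the prerequisites on the next line still name $(BUILD_DIR)/linux-source-$(UPSTREAMVERSION).tar.xz and linux-patch-$(UPSTREAMVERSION)-$(FEATURESET).patch.xz. If keeping the linux-* file names is intentional, a comment saying so would help; if not, a package built from a renamed source would carry files named like those from src:linux, so please confirm the two cannot end up at the same installed path.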
--- a/debian/templates/control.main.in
+++ b/debian/templates/control.main.in
@@ -1,4 +1,4 @@
-Package: linux-source-@version@
+Package: @source_package@-source-@version@
 Build-Profiles: 
 Architecture: all
 Section: kernel
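Review bot: @source_package@ in the Package: fields is a new template variable, and no hunk in this patch shows where gencontrol.py sets it. rules.real takes the name from dpkg-parsechangelog -SSource instead, so the two derivations have to produce the same string, or the targets will pass -p$(PACKAGE_NAME) for a package that debian/control does not list. Please include the gencontrol.py side or note where the variable is already defined.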
@@ -13,7 +13,7 @@ Description: Linux kernel source for version @version@ with 
Debian patches
  features that have already been (or are believed to be) accepted by the
  upstream maintainers.
 
-Package: linux-doc-@version@
+Package: @source_package@-doc-@version@
 Build-Profiles: 
 Architecture: all
 Depends: ${misc:Depends}
@@ -27,7 +27,7 @@ Description: Linux kernel specific documentation for version 
@version@
  /usr/share/doc/linux-doc-@version@/Documentation/00-INDEX
  for the detailed description of the contents.
 
-Package: linux-manual-@version@
+Package: @source_package@-manual-@version@
 Build-Profiles: 
 Architecture: all
 Depends: ${misc:Depends}
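Review bot: the context line /usr/share/doc/linux-doc-@version@/Documentation/00-INDEX at the top of this hunk is left unchanged, while install-doc now sets OUT_DIR under /usr/share/doc/$(PACKAGE_NAME) with the renamed package. The description should use @source_package@-doc-@version@ in that path as well, otherwise it points at a directory the renamed package does not create.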
@@ -46,7 +46,7 @@ Description: Linux kernel API manual pages for version 
@version@
  may be installed at a time.  The linux-doc package containing the
  documentation in other formats is free from such restriction.
 
-Package: linux-support-@abiname@
+Package: @source_package@-support-@abiname@
 Build-Profiles: 
 Architecture: all
 Section: devel
--- END ---

[...]
> > 3. The changes to gencontrol.py and rules.real to disable most arch:all
> > packages should depend on configuration, not the source package name.
> > They would then be acceptable for inclusion on the master branch.
> 
> By “configuration”, I guess you mean stuff in debian/config/featureset-
> grsec/defines? Unfortunately some of the stuff I touch in gencontrol.py and
> rules.real is not run when featureset is defined, but is more generic than
> that.
> 
> Or do you mean I would then modify debian/config/defines (and not the one
> under the featureset-grsec folder) in src:linux-grsec?

You would modify debian/config/defines.

> > 4. There's no need to remove the templates for packages you don't
> > build.  However, if you leave them in place, you'll need to override
> > do_extra() in gencontrol.py to omit the extra packages dependent on the
> > configuration (as for (3)).
> 
> Ok, I'll check 

Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-11-10 Thread Yves-Alexis Perez
On sam., 2015-11-07 at 14:54 +, Ben Hutchings wrote:
> I've given this a quick review and found a few issues:

Thanks!
> 
> 1. linux-grsec-{source,support} are included in debian/control but not
> built by debian/rules.real.  I think these should be built; the latter
> will be needed to build metapackages as in linux-latest.

Done. Right now the package name is hardcoded in debian/rules.real, I'll see
if there's a way to get it from the configuration somehow (after I get more
info from the #3 and #4 replies).
> 
> 2. udebs are included in debian/control but not built, and they should
> not be built.   You can fix this by deleting or commenting-out
> debian/installer/{amd64,i386}/kernel-versions

Good point. I'm currently disabling them by
using DEBIAN_KERNEL_DISABLE_INSTALLER when running gencontrol.py. Thanks for
the pointer.
> 
> 3. The changes to gencontrol.py and rules.real to disable most arch:all
> packages should depend on configuration, not the source package name.
> They would then be acceptable for inclusion on the master branch.

By “configuration”, I guess you mean stuff in debian/config/featureset-
grsec/defines? Unfortunately some of the stuff I touch in gencontrol.py and
rules.real is not run when featureset is defined, but is more generic than
that.

Or do you mean I would then modify debian/config/defines (and not the one
under the featureset-grsec folder) in src:linux-grsec?
> 
> 4. There's no need to remove the templates for packages you don't
> build.  However, if you leave them in place, you'll need to override
> do_extra() in gencontrol.py to omit the extra packages dependent on the
> configuration (as for (3)).

Ok, I'll check that. Again, what do you envision as configuration: a “source
package name” in debian/config/defines? Or even a boolean “grsec”? Or more
generic than that, a “build_extra” boolean?
> 
> 5. CONFIG_X86_X32 should be disabled, since you've disabled the patch
> to make x32 support dependent on a kernel parameter.

Ok, done.
> 
> 6. In debian/patches/features/all/grsec/gen-patch you can use the
> filterdiff -p1 to avoid assuming the path prefix will be 'b/'.

Thanks, done as well.

I've not yet pushed the local changes, I'll wait a bit for the replies.

Regards,
-- 
Yves-Alexis




Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-11-07 Thread Ben Hutchings
On Thu, 2015-11-05 at 22:08 +0100, Yves-Alexis Perez wrote:
> On sam., 2015-10-10 at 21:55 +0200, Yves-Alexis Perez wrote:
> > This is really a work in progress and this mail a request for comment.
> > Especially missing is:
> 
> So, did any of you have the chance to test it? I'm currently running the 4.2.5
> kernel with grsecurity-3.1-4.2.5-201511021814 (just uploaded to my repository
> and to git.d.o) and it works just fine.
> 
> I'm really interested by any feedback you would have on this.

I've given this a quick review and found a few issues:

1. linux-grsec-{source,support} are included in debian/control but not
built by debian/rules.real.  I think these should be built; the latter
will be needed to build metapackages as in linux-latest.

2. udebs are included in debian/control but not built, and they should
not be built.   You can fix this by deleting or commenting-out
debian/installer/{amd64,i386}/kernel-versions

3. The changes to gencontrol.py and rules.real to disable most arch:all
packages should depend on configuration, not the source package name.
They would then be acceptable for inclusion on the master branch.

4. There's no need to remove the templates for packages you don't
build.  However, if you leave them in place, you'll need to override
do_extra() in gencontrol.py to omit the extra packages dependent on the
configuration (as for (3)).

5. CONFIG_X86_X32 should be disabled, since you've disabled the patch
to make x32 support dependent on a kernel parameter.

6. In debian/patches/features/all/grsec/gen-patch you can use the
filterdiff -p1 to avoid assuming the path prefix will be 'b/'.

Ben.

-- 
Ben Hutchings
Unix is many things to many people,
but it's never been everything to anybody.



Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-11-05 Thread Yves-Alexis Perez
On sam., 2015-10-10 at 21:55 +0200, Yves-Alexis Perez wrote:
> This is really a work in progress and this mail a request for comment.
> Especially missing is:

So, did any of you have the chance to test it? I'm currently running the 4.2.5
kernel with grsecurity-3.1-4.2.5-201511021814 (just uploaded to my repository
and to git.d.o) and it works just fine.

I'm really interested by any feedback you would have on this.

Regards,
-- 
Yves-Alexis





Bug#605090: [RFC] Proposal for a new linux-grsec source package

2015-10-10 Thread Yves-Alexis Perez
control: reassign -1 wnpp
control: retitle -1 ITP: linux-grsec -- Linux kernel with grsecurity patch

On mer., 2015-09-30 at 12:53 +0200, Yves-Alexis Perez wrote:
> I should be able to push something for review pretty soon

So here we are. I've pushed a git tree [1] of a linux-grsec source
package, heavily based on src:linux (it's actually a clone of linux.git
and I've worked in a grsec/sid branch).

I've kept the featureset idea, and on top of that:

- disabled all regular packages from src:linux (linux-libc-dev and
friends)
- disabled all non grsecurity featureset
- renamed the source package to linux-grsec

You can build it the same way you build the src:linux from git. I've
also uploaded packages for sid and Jessie to my repository [2],
including a .dsc [3] so rebuild should be easy.

This is really a work in progress and this mail a request for comment.
Especially missing is:

- various updates to the debian/control templates (like
Maintainers/Uploaders etc.)
- updates to debian/copyright
- stuff I missed.

I started this with 4.1.7, updated from the v4.1.6-1 tag in the
linux.git. I've then pulled the 4.2.3-1 tag and it seemed to not break
that much, so it might indeed be workable (but we'll see in the long
run).

In any case, everything is in the git folder, and feel free to ask
questions if needed.

I don't intend to upload this to Debian right away, obviously :)

Regards,

[1] https://anonscm.debian.org/cgit/collab-maint/linux-grsec.git
[2] http://perso.corsac.net/~corsac/debian/kernel-grsec/packages/
[3] http://perso.corsac.net/~corsac/debian/kernel-grsec/packages/sid/linux-grsec_4.2.3-1.dsc
-- 
Yves-Alexis


